1. A method of analyzing data comprising the steps of: 

a) creating a data flow table having an entry for each unique data flow, where 
each data flow entry includes fields selected from the group of fields consisting of origin 
IP address, destination IP address, time-to-live value, packet length, packet number, start 
time, stop time, origin port, destination port, protocol, any other suitable value and any 
combination thereof; 

b) receiving a data packet that includes at least one of said fields listed in step a); 

c) comparing said at least one field of said data packet to at least one user- 
definable set of values; 

d) adding at least one error field to said data flow table that corresponds with said 
at least one field of said data packet identified in step c) that is outside of said at least one 
user-definable set of values; 

e) entering in said at least one error field said at least one field of said data packet 
identified in step c) that is outside of said user-definable set of values; 

f) entering in said data flow table said at least one field of said data packet 
identified in the last step that is within the at least one user-definable set of values; 

g) comparing at least one corresponding entry in said data flow table to said at 
least one field of said data packet entered into said data flow table in the last step; 

h) adding at least one anomaly field to said data flow table if said field of said 
data packet differs from said corresponding entry in said data flow by a user-definable 
value or set of values; 
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i) entering in said at least one anomaly field said at least one field of said data 
packet identified in step h) that differs from said entry of said data flow table by a user- 
definable value or set of values; 

j) identifying data flows in said data flow table for data flows that have ended; 

k) transmitting data flows, data from said at least one error field, and data from 
said at least one anomaly field for said data flows that have ended; and 

1) returning to step b) if there are additional data packets to be processed. 

2. The method of claim 1, wherein the step of adding at least one error field comprises 
adding at least one bitfield, said at least one bitfield containing at least one bit, said bit 
being set to either 1 or 0 as defined by the user. 

3. The method of step 2, wherein said step of entering in said at least one error field at 
least one data packet comprises switching said at least one bit. 

4. The method of claim 1, wherein said data flow table consist of a number of data cells 
arranged in rows and columns. 

5. The method of claim 3, wherein said data flow table consist of a number of data cells 
arranged in rows and columns. 
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6. The method of claim 4, wherein said protocol value may be selected from the group of 
values consisting of e-mail protocols, web page protocols, streaming video protocols, 
streaming audio protocols, ftp protocols, or any other suitable protocol. 

7. The method of claim 5, wherein said protocol value may be selected from the group of 
values consisting of e-mail protocols, web page protocols, streaming video protocols, 
streaming audio protocols, ftp protocols, or any other suitable protocol. 

8. The method of claim 6, wherein said step of identifying data flows that have ended 
comprises identifying data flows in said data flow table for data flows that have ended, 
wherein a flow that has ended represents a completed information transfer between 
computers in a network according to a user-defined set of criteria, said user-defined 
criteria defining termination based on periods of inactivity or periods of activity, or the 
existence of specific flags in said at least one data packet, said flags indicating the 
communication between the two computers has ended. 

9. The method of claim 7, wherein said step of identifying data flows that have ended 
comprises identifying data flows in said data flow table for data flows that have ended, 
wherein a flow that has ended represents a completed information transfer between 
computers in a network according to a user-defined set of criteria, said user-defined 
criteria defining termination based on periods of inactivity or periods of activity, or the 
existence of specific flags in said at least one data packet, said flags indicating the 
communication between the two computers has ended. 
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10. The method of claim 1, wherein said protocol value may be selected from the group 
of values consisting of e-mail protocols, web page protocols, streaming video protocols, 
streaming audio protocols, ftp protocols, or any other suitable protocol 

11. The method of claim 1, wherein said step of identifying data flows that have ended 
comprises identifying data flows in said data flow table for data flows that have ended, 
wherein a flow that has ended represents a completed information transfer between 

computers in a network according to a user-defined set of criteria, said user-defined 

> 

criteria defining termination based on periods of inactivity or periods of activity, or the 
existence of specific flags in said at least one data packet, said flags indicating the 
communication between the two computers has ended. 

12. The method of claim 1, wherein said user-definable set of values is chosen from the 
group of user-definable sets of values consisting of a threshold value below which said at 
least one field of said data packet must not fall, a threshold value above which said at 
least one field of said data packet must not fall, a range between which said at least one 
field of said data packet must fall, a list of values at least one of which said at least one 
field of said data packet must equal, any other suitable set of values, and any combination 
thereof. 

13. The method of claim 8, wherein said user-definable set of values is chosen from the 
group of user-definable sets of values consisting of a threshold value below which said at 
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least one field of said data packet must not fall, a threshold value above which said at 
least one field of said data packet must not fall, a range between which said at least one 
field of said data packet must fall, a list of values at least one of which said at least one 
field of said data packet must equal, any other suitable set of values, and any combination 
thereof. 

14. The method of claim 9, wherein said user-definable set of values is chosen from the 
group of user-definable sets of values consisting of a threshold value below which said at 
least one field of said data packet must not fall, a threshold value above which said at 
least one field of said data packet must not fall, a range between which said at least one 
field of said data packet must fall, a list of values at least one of which said at least one 
field of said data packet must equal, any other suitable set of values, and any combination 
thereof. 

15. The method of claim 1, wherein the step of adding at least one anomaly field 
comprises adding at least one bitfield, said at least one bitfield containing at least one bit, 
said bit being set to either 1 or 0 as defined by the user. 

16. The method of claim 15, wherein said step of entering in said at least one anomaly 
field at least one data packet comprises switching said at least one bit. 

17. The method of claim 16, wherein said data flow table consist of a number of data 
cells arranged in rows and columns. 
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18. The method of claim 17, wherein said protocol value may be selected from the group 
of values consisting of e-mail protocols, web page protocols, streaming video protocols, 
streaming audio protocols, ftp protocols, or any other suitable protocol. 

19. The method of claim 18, wherein said step of identifying data flows that have ended 
comprises identifying data flows in said data flow table for data flows that have ended, 
wherein a flow that has ended represents a completed information transfer between 
computers in a network according to a user-defined set of criteria, said user-defined 
criteria defining termination based on periods of inactivity or periods of activity, or the 
existence of specific flags in said at least one data packet, said flags indicating the 
communication between the two computers has ended. 
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